
state mismatch error #170

Closed
Anexsoft opened this issue Dec 15, 2020 · 9 comments

Comments

@Anexsoft

Anexsoft commented Dec 15, 2020

State mismatch

I'm having this error on my second login attempt. After my token expired (24h), the APP redirects my user to the login screen (another service) and, when it makes a successful login, it redirects my user to my APP, giving these kinds of errors:

  1. BadRequestError: state mismatch, expected eyJyZXR1cm5UbyI6Ii9yb2JvdHMudHh0In0, got: eyJyZXR1cm5UbyI6Ii8ifQ
  2. BadRequestError: checks.state argument is missing at callbackStack

Sometimes it is error 1, sometimes error 2.

But despite this error, if the user goes to the home page he sees that he is logged in and he can start using the APP.

This error gives a bad user experience.

What was the expected behavior?

Avoid the error page on callback page.

Reproduction

We are using Node JS with **Express 4.17.1**; everything works well except for the lines discussed above.

It seems that the issue is reproduced by transientHandler.js, exactly on the following lines:

  getOnce(key, req, res) {
    if (!req[COOKIES]) {
      return undefined;
    }

    let value = getCookieValue(key, req[COOKIES][key], this.keyStore);

    this.deleteCookie(key, res);

    if (this.legacySameSiteCookie) {
      const fallbackKey = `_${key}`;
      if (!value) {
        value = getCookieValue(
          fallbackKey,
          req[COOKIES][fallbackKey],
          this.keyStore
        );
      }
      this.deleteCookie(fallbackKey, res);
    }

    return value;
  }

The value comes back undefined, and for that reason the APP throws an exception related to state mismatch.


Environment

Our OIDC configuration

module.exports = (app) => {
    app.use(
        auth({
            issuerBaseURL: process.env.JZ_AUTH_AUTHORITY,
            baseURL: process.env.JZ_BASE_URL,
            clientID: process.env.JZ_AUTH_CLIENT_ID,
            clientSecret: process.env.JZ_AUTH_CLIENT_SECRET,

            // cookie
            secret: "xxxxxxxxxxxxxxxxxxxxxxx",
            session: {
                name: "JZ_SC_SESSION",
                rolling: false,
                // 20 hours
                absoluteDuration: 20 * 60 * 60,
                cookie: {
                    // ignore https
                    secure: false
                }
            },

            // authorization params given by identity server
            authorizationParams: {
                response_type: "code",
                response_mode: "form_post",
                scope: "openid email phone profile juntoz jz-public jz-core",
                audience: process.env.JZ_AUTH_AUTHORITY,
                state: "sitecentral"
            },

            // logout the user from identity server
            idpLogout: true
        })
    );
}

  • "express": "^4.17.1",
  • "express-openid-connect": "^2.0.0"

@jgoldfar

jgoldfar commented Dec 16, 2020

I am running into this issue as well - is there any workaround?

Is this related?

@Anexsoft
Author

Any idea?

@adamjmcgrath
Contributor

Is this related?

@jgoldfar #168 is not related

@Anexsoft

BadRequestError: state mismatch, expected eyJyZXR1cm5UbyI6Ii9yb2JvdHMudHh0In0, got: eyJyZXR1cm5UbyI6Ii8ifQ

These are base64 encoded, the state mismatch looks like:
expected "{"returnTo":"/robots.txt"}" got "{"returnTo":"/"}" - does this help you debug your issue?
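
To see what the two error messages in this thread correspond to, here is an added JavaScript illustration (not code from express-openid-connect or from anyone in this thread). It decodes the base64url state values quoted above and models the read-once transient cookie shown in the getOnce excerpt with a single "state" slot. The TransientStore class, the checkState function and the overlapping-login scenario are assumptions for illustration, not the library's implementation.

```javascript
// Added illustration, not express-openid-connect code: decode the state values
// from the error message and model a read-once transient state cookie.

// The states quoted in the issue are base64url-encoded JSON without padding.
function decodeState(state) {
  return JSON.parse(Buffer.from(state, 'base64url').toString('utf8'));
}

function encodeState(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
}

// Hypothetical stand-in for the transient cookie store: one cookie per name,
// consumed on first read (mirrors the delete-after-read in the getOnce excerpt).
class TransientStore {
  constructor() {
    this.cookies = new Map();
  }
  save(key, value) {
    this.cookies.set(key, value); // a second save overwrites the first
  }
  getOnce(key) {
    const value = this.cookies.get(key);
    this.cookies.delete(key);
    return value;
  }
}

// Modelled state check: `expected` is what the cookie held, `got` is the state
// the identity provider posted back. The messages mirror those in the issue.
function checkState(expected, got) {
  if (expected === undefined) {
    return { ok: false, error: 'checks.state argument is missing' };
  }
  if (expected !== got) {
    return { ok: false, error: `state mismatch, expected ${expected}, got: ${got}` };
  }
  return { ok: true };
}

// Constructed scenario: the browser starts a login for "/" and then, before that
// callback has returned, another request to the app (for /robots.txt, e.g. from
// a second tab) starts a second login. Both logins share the one state cookie.
function overlappingLogins() {
  const store = new TransientStore();
  const homeState = encodeState({ returnTo: '/' });
  store.save('state', homeState);
  const robotsState = encodeState({ returnTo: '/robots.txt' });
  store.save('state', robotsState); // overwrites the "/" state

  // First callback: the cookie now holds the robots.txt state, the IdP returns "/".
  const first = checkState(store.getOnce('state'), homeState);
  // Second callback: the cookie was consumed by the first read, nothing is left.
  const second = checkState(store.getOnce('state'), robotsState);
  return { first, second };
}

console.log(decodeState('eyJyZXR1cm5UbyI6Ii9yb2JvdHMudHh0In0'));
console.log(overlappingLogins());
```

Run it with node: the decoded returnTo values are exactly the ones quoted above, and the two outcomes reproduce the two messages from the first post in order. The first callback sees a different state than the cookie holds, and the second callback finds no cookie at all, which is why a single user can hit either error without any tampering having taken place.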

@adamjmcgrath
Contributor

Also, if you're running your server over http (not https) and seeing intermittent "checks.state argument is missing" errors, take a look at #145 (comment)

@Anexsoft
Author

Anexsoft commented Dec 19, 2020

@adamjmcgrath my issue is not related to https, because my server works with https.

Not really; the issue is related to the state cookie generated by oidc-express, because sometimes it is null. I understand the cookie is generated as a CSRF token.

I'm not sure, but I have one file in my project that sometimes makes a 404 request to /manifest.json. Maybe this failed request is clearing my cookie.

@appagg

appagg commented Dec 25, 2020

I am also seeing this error "BadRequestError: checks.state argument is missing" intermittently if I use google login. No state mismatch error for me though.

@adamjmcgrath
Contributor

@Anexsoft - if you're running your server on https, you should also set a secure cookie. Is there any reason you've set the cookie config to secure: false? Can you leave it as secure? Also, can you make sure you're on the latest version of express-openid-connect?

@appagg - can you take a look at #145 (comment)
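
The comments above about running over http and about `secure: false` come down to which cookies a browser attaches to the callback request. Since the configuration in this thread uses `response_mode: "form_post"`, the callback is a cross-site POST from the identity server back to the app. The following JavaScript is an added model of the standard browser SameSite/Secure rules, written for this thread; it is not express-openid-connect code, and it makes no claim about which attributes the library sets on its own cookies, only about how a browser treats a cookie with each attribute combination.

```javascript
// Added model (not express-openid-connect code) of browser cookie-attachment
// rules relevant to an OIDC callback. A request is described by the scheme the
// app is served on, the HTTP method, whether it is cross-site (initiated by the
// identity server) and whether it is a top-level navigation.

function cookieSent(cookie, request) {
  // A cookie marked Secure is only ever sent over https.
  if (cookie.secure && request.scheme !== 'https') return false;

  // Browsers that enforce "SameSite=None requires Secure" drop a None cookie
  // that is not Secure, so it is never available to the app.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;

  if (!request.crossSite) return true; // same-site requests carry everything

  // Modern browsers treat a missing SameSite attribute as Lax.
  const mode = cookie.sameSite || 'Lax';
  switch (mode) {
    case 'None':
      return true;
    case 'Lax':
      // Lax cookies ride along on cross-site top-level navigations only when the
      // method is safe; a form_post callback is a POST, so they are withheld.
      return request.topLevel && request.method === 'GET';
    case 'Strict':
      return false;
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// The callback produced by response_mode: "form_post" (as in this thread's config).
function formPostCallback(scheme) {
  return { scheme, method: 'POST', crossSite: true, topLevel: true };
}

// Constructed comparison: the same cross-site POST callback served over https
// versus http, for a cookie meant to survive it (SameSite=None; Secure), plus a
// Lax cookie on https to show that the scheme alone is not enough.
function stateCookieSurvivesCallback() {
  const stateCookie = { secure: true, sameSite: 'None' };
  return {
    https: cookieSent(stateCookie, formPostCallback('https')), // true
    http: cookieSent(stateCookie, formPostCallback('http')), // false: state looks "missing"
    laxOnHttps: cookieSent({ secure: true, sameSite: 'Lax' }, formPostCallback('https')), // false
  };
}

console.log(stateCookieSurvivesCallback());
```

The model deliberately leaves out Chrome's temporary "Lax+POST" allowance for cookies set within the last two minutes, which is one reason such failures show up intermittently rather than every time. The practical reading for this thread is the one adamjmcgrath gives: a cookie that has to survive a cross-site form POST needs both SameSite=None and Secure, and Secure only works when the app is actually served over https.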

@Anexsoft
Author

Anexsoft commented Dec 29, 2020

Uhmm, I replaced all the packages with passport and oidc-client and it's working as I expected :). Of course, it's a little bit more difficult to configure.

@adamjmcgrath
Contributor

ok - thanks @Anexsoft - if you want to persevere with getting your setup working with express-openid-connect, feel free to reopen this issue with the answers to my previous questions
